Class Action Claims Walgreens Data Breach Placed Customers’ Private Health Info ‘In the Hands of Thieves’

New to ClassAction.org? Read our Newswire Disclaimer

Walgreen Company has been hit with a proposed class action lawsuit in the wake of a September 2019 data breach that reportedly exposed the personal and health-related information of potentially thousands of online customers.

According to the case, Walgreens on September 26, 2019 noticed “abnormal activity” on a “limited number” of Walgreens.com customer accounts. Upon investigation, the company discovered that unauthorized third parties had used valid login credentials from other websites to gain access to customers’ personally identifiable information, as well as protected health data, stored on Walgreens’ website, the suit says.

The exposed information allegedly included:

The case claims the data breach was a direct result of Walgreen Company’s failure to implement “adequate and reasonable” cybersecurity measures in line with industry standards. Despite assurances in the pharmacy chain’s privacy policy, as well as its obligation under HIPAA (Health Insurance Portability and Accountability Act) to protect customers’ medical information, Walgreens negligently failed to put in place even “basic security procedures” such as those recommended by the Federal Trade Commission, the lawsuit argues.

The case claims that although the defendant had the resources necessary to prevent the breach, the company refused to “adequately invest” in proper data security and ultimately allowed customers’ private personal and health information to fall into “the hands of thieves.”

“Had Defendant remedied the deficiencies in its data security systems and adopted security measures recommended by experts in the field, it would have prevented the intrusions into their systems and, ultimately, the theft of [personally identifiable information and protected health information],” the complaint reads.

The lawsuit goes on to criticize Walgreens’ response to the breach, stressing that although the company had identified affected customers as early as October 5, 2019, it waited until December 3 to send notice of the breach. Moreover, Walgreens has failed to offer affected customers “any compensation or additional protective services” such as credit monitoring or fraud remediation, according to the case. The suit argues that Walgreens’ suggestion that customers change their passwords and “remain vigilant” is “wholly inadequate” considering victims may face “multiple years of ongoing identity theft and fraud” due to the exposure of their private information.

The lawsuit looks to cover anyone whose personally identifiable information and protected health information was compromised in the data breach announced by Walgreens in December 2019.